SB2024112914 - Cross-site scripting in SEO Landing Page Generator plugin for WordPress
Published: November 29, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Cross-site scripting (CVE-ID: CVE-2024-11366)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "of add_query_arg" parameter. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Remediation
Install update from vendor's website.
References
- https://plugins.trac.wordpress.org/browser/seo-landing-page-generator/trunk/admin/class-issslpg-admin-location-settings-page.php#L185
- https://plugins.trac.wordpress.org/browser/seo-landing-page-generator/trunk/admin/class-issslpg-admin-location-settings-page.php#L330
- https://plugins.trac.wordpress.org/browser/seo-landing-page-generator/trunk/admin/class-issslpg-admin-location-settings-page.php#L433
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3197642%40seo-landing-page-generator&new=3197642%40seo-landing-page-generator&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/99dcb6c4-b9c6-4d3d-942f-b3877cc3efa7?source=cve